Thursday, March 14, 2019

If you squint, you can see the beginning of the end of the
golden age of incident response billing. I’ve seen this movie before and I know
how it ends because I lived through the golden age of eDiscovery billing. Incident response will no more go away than litigation
requiring the production and review of electronic documents, but the current billing
gold rush won’t continue indefinitely.

I left law enforcement and entered the private sector around
the time electronic discovery was really gaining steam and
interest in the legal world. This
resulted in legions of eDiscovery consulting outfits of various sizes and
abilities getting into the game and charging confiscatory prices for their
work. The billing during this
period was such that it took very little for litigation to result in some eDiscovery
consulting outfit making six or seven figure sums for their work. Law firms and their clients eventually rebelled
against being ridden like ponies off into the sunset by the eDiscovery industry
and started to bring as much of the work in-house as they could get away with to
avoid expensive outsourcing. Electronic discovery cost containment became a
very important buzzword in the legal world.

The gold rush also brought in more competition and interest from
giant consulting firms who could offer competitive pricing and performance
because of their economies of scale and ability to invest in technology and utilize
their existing infrastructure. This resulted in quite a few small to medium
sized eDiscovery firms being bought up, merging with other firms, or just going
out of business entirely. It wasn’t that
eDiscovery went away or that it suddenly became inexpensive, but the market
eventually worked things out where the larger and more efficient firms could
offer better speed, cost, and quality to the legal world and their customers.

We’re going to see something very similar in the incident
response world. We’re still very much in the information security version of
WWII’s Happy Time where the field of battle still greatly benefits the attacker. That isn’t changing anytime soon and maybe it
never will change. I wrote about this information
security happy time in 2011 and very little has changed since then. We just have to look at the headlines to see the
near constant reports of major breaches in all sectors of business and government.
These successes are going to continue to result in high demand for incident
response services and these services are not cheap. Many a fortune has been made in recent years
by sharp people who set up incident response consulting practices and billed
themselves into a king’s ransom. The costs associated with a breach can be immense
due to the costs of the technical response itself, resulting litigation, paying
for identity theft protection if personally identifying data was involved, and everything
else associated with recovering from a breach including potentially rebuilding
all or some of the impacted organization’s information technology infrastructure.

These costs have created a growing cyber insurance market
where organizations are making cyber insurance part of their risk management
process and basically paying the insurance companies to help shoulder the risk
for them. The key rule to understand in
an arrangement like this is the age-old one that says that “He who pays the
piper calls the tune.” When a breach
happens, the insurance companies will be the ones dictating the response since
they are the ones shouldering the cost. These firms will have already entered
into agreements with trusted incident response providers to provide their
services at pre-determined billing rates. The insurance companies will be driving cost containment in this area because
their financial health will depend on it. This will put an end to the current golden age of incident response
billing, which will put downward pressure on the profits of organizations
providing incident response capabilities and the salaries of those who work in
those organizations. I expect that we’ll see similar consolidation in the
industry where it will be hard for smaller incident response firms to survive
unless they develop practices based on providing affordable response services
to smaller entities that might not have insurance and the resources to pay
expensive incident response fees. That said, there will still be plenty of
money to be made in this area and it’s still going to be a great industry to be
in if you are interested in developing the incident response skills that will
be in demand for a very long time to come.

In the short term, the gold rush is going to continue because
the insurance market is still developing in this area. The sun will start to set in the medium term
as the insurance industry becomes more mature in this area and an increasing
number of breach victims are covered under some form of cyber insurance. I think we’ll also see legislation helping
drive some of the cost containment where organizations that take certain
proactive steps such as being compliant with some information security standard
or another will have their liability capped and that will also help drive costs
down. In the long term, stick a fork in
the gold rush that is the current incident response market. It will be done.

2 comments:

Billing aside, the inclusion of insurance and law firms becoming more integral to IR is continuing, even exacerbating, the issues that we've always seen with IR; that is, IR is IR, the client gets billed, move on.

So what's the big deal with this? Well, consider this...an analyst works a ransomware engagement, in their own silo. Due to collection bias and evidence aging out, the analyst isn't able to determine the IIV. Maybe they're new, and honestly don't know how to determine the IIV. Because of the IR business model and billing structure, they have to get the report out and can't bring in another analyst to "take a look" because the billable hours aren't there.

As a result, "something" gets sent to the customer. There are statements made in the report that a manager reviewing the report doesn't question, because (again, due to the business model) they really don't have the time to look into the analyst's statements.

The report goes out to the customer, and the analyst moves on to the next engagement. No case notes, no sharing, and no correlation with any of the 4 or 6 other analysts working oddly similar ransomware cases, close to or at the same time. Because the business model and billing structure don't allow it, there is no correlation between analysts or cases, no development of threat intelligence, and subsequently, no public reporting of any kind.

The business model for IR has always been an issue. Now that IR has moved from full image analysis into a more enterprise-wide approach, incorporating EDR tools as part of the response, these engagements are the best source of "ground truth", more so than can be provided by OSINT. However, the business model has always obviated the ability to publicly report, and hitching to the insurance/law firm wagon has provided just another excuse.

One of the biggest issues I've seen over time is what has NOT happened with DFIR firms...the business model used by both older and newer firms is one in which billable hours are everything. As such, there is no facility or function for strategic tracking of DFIR work. This means that a lot of extremely valuable "ground truth" data gets left "on the floor".

DFIR firms would benefit greatly if this available data were incorporated into the business itself. Unfortunately, that's not the case and it's unlikely to become part of that business model any time soon, except for extreme cases (like FireEye).